On 04/16/2017 06:51 AM, Andrew Holway wrote:
There is no doubt that most security agencies have a long list of zero-
day exploits in their toolbox - I would hazard to suggest that they
wouldn't be doing their job if they didn't! But I seriously doubt they
would commission exploitable code in something that is openly
auditable.
P.
P., I used to think that too... indeed, I was thoroughly convinced of it.
But reality changed my mind.
Indeed. I think the assertion "OSS is somehow safer because of community
audit" is a logical fallacy. How would one go about "auditing" in the first
place? Even if the various Intelligence agencies are not injecting
vulnerabilities then they would certainly be in a strong position to
discover some of the holes already existing some time before they become
public.
I'm more worried about cloud services and the large number of root
certificates that software trusts by default.
That's where a lot of the hacks are going to happen, and AFAIK the only
defense against it is DNSSEC + DANE which very few zones actually utilize.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos